Appi. No: 09/759,089 

Reply to Final Office Action of November 29, 2006 

Amendments to the Claims: 

This listing of claims will replace all prior versions and listings of claims in the 
application: 
Listing of Claims: 

1. (Currently Amended) In a computer network, a method for maintaining an 
acceptable use policy comprising: 

receiving input from a user selecting a subject matter category for use in 
monitoring network communications; 

monitoring TCP/IP network communications; 

storing raw TCP/IP session data of said TCP/IP network communications on 
disk, even when the communication does not conform to a known protocol; 

testing the stored communications for the presence of at least one preselected 
criterion, wherein the preselected criterion is defined by a user, is associated with the 
user selected subject matter category, and comprises one or more regular expressions 
and wherein the raw TCP/IP session data including all TCP control and payload data 
is tested for the presence of the at least one preselected criterion; 

deleting the communications if the presence of said at least one preselected 
criterion is not determined; and 

storing the communications if the presence of said at least one preselected 
criterion is determinedO ; 

wherein the preselected criterion com prises m t wo or more subject matter 
categories; 

wherein said subject matter categories comprise regular expressions: 

wherein a first portion of said regular expressions are assigned weights with 

negative values and a second portion of said regular expressions are assigned 

weights with positive values; and 
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wherein regular expressions within a subject matter category having a negative 
value are processed before regular expressions having a positive value. 

2. (Canceled) 

3. (Canceled) 

4. (Canceled) 

5. (Canceled) 

6. (Currently Amended) The method of claim [[2]] 1_, wherein the preselected 
criterion is weighted. 

7. (Canceled) 

8. (Canceled) 

9. (Currently Amended) The method of claim [[4]] 1, further comprising 
prioritizing the order in which regular expressions within a subject matter category are 
tested. 

10. (Previously Presented) The method of claim 9, wherein said prioritizing 
reduces the likelihood of false hits. 

11 .(Cancelled). 

12. (Previously Presented) The method of claim 1, wherein the computer 
network is a wide area network. 

13. (Previously Presented) The method of claim 1, wherein the computer 
network is a iocal area network. 
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14. (Previously Presented) The method of claim 2, wherein the presence of the 
preselected criterion in at least one of said categories comprises a match in a plurality 
of categories, 

15. (Previously Presented) The method of claim 2, wherein said subject matter 
categories comprise key words. 

16. (Cancel!ed), 

17. (Previously Presented) The method of claim 2, further comprising assigning 
a threshold value to each subject matter category. 

18. (Previously Presented) The method of claim 17, wherein at least some of 
said subject matter categories comprise one or more predetermined expressions. 

19. (Previously Presented) The method of claim 18, further comprising receiving 
user input assigning a value to said predetermined expressions, 

20. (Previously Presented) The method of claim 19, further comprising summing 
the values of said predetermined expressions, 

21. (Previously Presented) The method of claim 20, wherein said 
communication is further stored if the sum of the values of said predetermined 
expressions comprising a subject matter category equal or exceed the threshold value 
assigned to said subject matter category. 

22. (Previously Presented) The method of claim 21 , wherein the threshold value 
of at least one subject matter category comprises equaling or exceeding the threshold 
value in a plurality of subject matter categories. 

23. (Previously Presented) The method of claim 21, wherein said threshold 
values assigned to said subject matter categories are variable. 

4 



\\\BO - 021 738/000002 - 1 84448 v1 



Appl. No: 09/759,089 

Rep^y to Final Office Action of November 29, 2006 

24. (Previously Presented) The method of claim 18, wherein said subject matter 
categories have a hierarchical relationship. 

25. (Previously Presented) The method of claim 24, wherein said hierarchical 
relationship comprises defining the threshold value for at least one subject matter 
category as the presence of predetermined expressions in a plurality of other subject 
matter categories. 

26. (Previously Presented) The method of claim 24, wherein said hierarchical 
relationship comprises defining the threshold value for at least one subject matter 
category as matching or exceeding the threshold value assigned to a plurality of other 
subject matter categories. 

27. (Previously Presented) The method of claim 1, further comprising outputting 
a report relating to the presence of said at least one preselected criterion, 

28. (Previously Presented) The method of claim 27, wherein said report 
identifies individuals whose use of the computer network included communications 
which matched preselected criterion. 

29. (Previously Presented) The method of claim 27, wherein said report 
identifies network addresses where communications were received or originated that 
included matched preselected criterion. 

30. (Previously Presented) The method of claim 2, further comprising outputting 
a report relating to the presence of preselected criterion, wherein said report identifies 
the number of matches in a category. 

31. (Previously Presented) The method of claim 30, wherein said report is in a 
graphical format and at least a portion of the stored communications is displayed in a 
user interface in a form matching that generated or viewed during the monitored 
TCP/IP network communications, 
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32. (Previously Presented) The method of claim 27, wherein said report 
provides the text of all communications that match said preselected criterion, 

33. {Previously Presented) The method of claim 27, wherein said report is in a 
human readable format and at least a portion of the stored communications is 
provided in the report in a form matching that generated or viewed during the 
monitored TCP/IP network communications. 

34. (Currently Amended) A method for monitoring and maintaining an 
acceptable use policy for computer network usage comprising: 

capturing data on a network, wherein the data comprises multiple half sessions 
of TCP/IP network communications; 

removing data content that does not contain language elements; 

testing the remaining content for the presence of predetermined expressions, 
wherein the predetermined expressions comprise two or more categories each 
containing predetermined expressions that are defined by a user; 

maintaining a sum of values associated with said predetermined expressions 
found within at least one category; and 

storing the remaining data if the sum of values associated with said 
predetermined expressions within a category meets or exceeds a threshold value 
selected based on user input; 

wherein said expressions are weighted with either positive or negative values; 

wherein the negative valued fegutef expressions are tested first; and 

wherein the testing and the maintaining are halted and the storing is performed 
when the sum of values within a category meets or exceeds the threshold value, 

35. (Previously Presented) The method of claim 34, wherein said computer 
network is a wide area network. 

36. (Previously Presented) The method of claim 34, wherein said computer 
network is a local area network, 
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Claim 37-41 (Cancelled). 

42. (Previously Presented ) The method of claim 34, wherein said negative and 
positive valued regular expressions are separately tested in the order of largest value 
to smallest value. 

43. (Cancelled) 

44. (Previously Presented) The method of claim 34, wherein said expressions 
include regular expressions. 

45. (Previously Presented) The method of claim 34, wherein the threshold value 
for at least one category comprises meeting or exceeding the threshold value for a 
plurality of other categories, 

46. (Previously Presented) The method of claim 34, wherein the threshold value 
of at least one category comprises meeting or exceeding the threshold value for at 
least one other category and not meeting or exceeding the threshold value for at least 
another category. 

47. (Previously Presented) The method of claim 35, wherein said threshold 
value for a category is variable. 

48. (Previously Presented) The method of claim 34, further comprising 
outputting a report relating to the presence of predetermined expressions. 

49. (Previously Presented) The method of claim 48, wherein said report 
identifies individuals whose use of the computer network included communications 
which matched predetermined expressions. 

50. (Previously Presented) The method of claim 48, wherein said report 

identifies network addresses where communications were received or originated that 

included matched predetermined expressions. 
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51 .(Previously Presented) The method of claim 34, further comprising 
outputting a report relating to the presence of predetermined expressions, wherein 
said report identifies the number of matches in a category. 

52. (Previously Presented) The method of claim 50, wherein said report is in a 
graphical format and at least a portion of the stored communications is displayed in a 
user interface in a form matching that generated or viewed during the monitored 
TCP/IP network communications. 

53. (Previously Presented) The method of claim 48, wherein said report 
provides the text of all communications that match said predetermined expressions. 

54. (Previously Presented) The method of claim 48, wherein said report is in a 
human readable format and at least a portion of the stored communications is 
provided in the report in a form matching that generated or viewed during the 
monitored TCP/IP network communications, 

55. (Previously Presented) A method for monitoring and maintaining an 
acceptable use policy for computer network usage comprising: 

capturing TCP/IP data on a network; 

removing data content that does not contain language elements and storing a 
remaining content comprising a string of language elements separated by spaces 
without regard to original formatting of the captured TCP/IP data; 

defining categories with weighted predetermined expressions, wherein the 
predetermined expressions are defined by a user; 

testing the remaining content for the presence of predetermined expressions; 

maintaining a sum of values associated with said predetermined expressions 
found within each category; and 

storing the remaining data if the sum of values associated with said 
predetermined expressions present within a category exceeds a threshold value. 
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56, (Previously Presented) The method of claim 55, wherein said remaining data 
is stored only if the sum of predetermined expressions exceeds the threshold value in 
a plurality of categories. 

57, (Previously Presented) The method of claim 55, wherein the threshold value 
for a category is defined as the presence of no predetermined expressions, 

58, (Previously Presented) The method of claim 55, wherein said computer 
network is a wide area network. 

59, (Previously Presented) The method of claim 55, wherein said computer 
network is a local area network, 

60, (Cancelled). 

61, (Previously Presented) The method of claim 55, further comprising 
outputting a report relating to the presence of predetermined expressions whose sum 
meets or exceeds the threshold value of a category. 

62, (Previously Presented) The method of claim 61, wherein said report 
identifies individuals whose use of the computer network included communications 
which contained predetermined expressions whose sum matched or exceeded the 
threshold value of at least one category. 

63, (Previously presented) The method of claim 61, wherein said report 
identifies network addresses where communications were received or originated that 
included predetermined expressions whose sum matched or exceeded the threshold 
value of at least one category. 

64, (Previously Presented) The method of claim 63, wherein said report is in a 
graphical format and at least a portion of the stored communications is displayed in a 
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user interface in a form matching that generated or viewed during the monitored 
TCP/IP network communications. 

65 (Previously Presented). The method of claim 1 wherein at least one stored 
half session comprises a plurality of independent parts, and the testing is performed 
individually on each independent part, 

66(Previously Presented). The method of claim 65 wherein the independent 
parts comprise individual email messages. 

67(PreviousIy Presented), The method of claim 65 wherein the independent 
parts comprise message attachments. 

68 (Previously Presented). The method of claim 1 further comprising; 

prior to the testing, attempting to identify a protocol by comparing the stored 
TCP/IP network communications with known protocol patterns, wherein when the 
attempting results in one of the known protocol patterns being identified, the testing of 
the stored communications involves testing of each independent part of the stored 
TCP/IP network communications associated with the identified one of the known 
protocol patterns. 
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